Since January 2020, researchers at GreyNoise have been observing large waves of spoofed internet traffic they call "noise storms". Despite years of analysis, they have been unable to determine the origin or purpose of these storms, and have now asked the wider security community for help.
The Nature of the “Noise Storms”
These anomalous traffic patterns share several distinctive characteristics:
- Waves of traffic carrying millions of spoofed source IP addresses
- The spoofed source ranges include address space belonging to CDNs of Chinese platforms such as QQ, WeChat, and WePay
- Directed at the networks of specific providers (e.g., Cogent, Lumen, and Hurricane Electric) while others, notably Amazon Web Services (AWS), are avoided
- Predominantly TCP, with most of it aimed at port 443 (HTTPS)
- Large numbers of ICMP packets, which in recent storms carry the ASCII string "LOVE" in their payload
Technical Intricacies and Camouflage Techniques
The "noise storms" use several techniques to blend in with legitimate network activity:
- TCP parameters such as the window size are varied so that the packets resemble the fingerprints of different operating systems
- Time to Live (TTL) values between 120 and 200, consistent with packets that have traversed a realistic number of hops rather than the fixed value a naive generator would emit
- Overall, the format and consistency of the traffic point to deliberate crafting by a capable actor rather than the side effects of a large-scale misconfiguration
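The characteristics and camouflage traits listed above translate directly into a packet triage check. What follows is an added example, not code from GreyNoise or from the published PCAPs: it constructs a few IPv4 packets (using RFC 5737 documentation addresses, not captured data) and flags those showing the reported traits, namely a TTL in 120..200, TCP to port 443, and ICMP echo payloads containing the ASCII string "LOVE". The window-size-to-OS table is an assumed heuristic for illustration, not a fingerprint database.

```python
import struct

STORM_TTL = range(120, 201)  # 120..200 inclusive, the range GreyNoise reported

# Assumed SYN window-size -> OS family hints (illustrative heuristic, not from the report)
WINDOW_OS_HINT = {65535: "macOS/BSD or Windows XP", 64240: "Linux or Windows 10",
                  29200: "Linux 3.x", 8192: "Windows 7/8", 5840: "Linux 2.x"}

def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum, used for the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def build_ipv4(src: str, dst: str, proto: int, ttl: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) in front of payload; src is written as given, so it can be spoofed."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload

def build_tcp_syn(sport: int, dport: int, window: int) -> bytes:
    """TCP SYN with a chosen window size; the TCP checksum is left zero since triage never validates it."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, 5 << 4, 0x02, window, 0, 0)

def build_icmp_echo(payload: bytes) -> bytes:
    """ICMP echo request (type 8, code 0) carrying payload."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)
    return hdr[:2] + struct.pack("!H", ip_checksum(hdr + payload)) + hdr[4:] + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Pull TTL, protocol, addresses and the L4 payload out of a raw IPv4 packet."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ttl": ttl, "proto": proto, "src": ".".join(map(str, src)),
            "dst": ".".join(map(str, dst)), "payload": pkt[ihl:total_len]}

def triage(pkt: bytes) -> dict:
    """Flag the traits the report attributes to noise-storm packets."""
    ip = parse_ipv4(pkt)
    out = {"src": ip["src"], "ttl": ip["ttl"], "ttl_in_storm_range": ip["ttl"] in STORM_TTL,
           "tcp_443": False, "os_hint": None, "icmp_love": False}
    p = ip["payload"]
    if ip["proto"] == 6 and len(p) >= 20:           # TCP: destination port and window size
        _, dport, _, _, _, flags, window = struct.unpack("!HHIIBBH", p[:16])
        out["tcp_443"] = dport == 443
        if flags & 0x02:                              # window fingerprinting only means much on SYN
            out["os_hint"] = WINDOW_OS_HINT.get(window)
    elif ip["proto"] == 1 and len(p) >= 8 and p[0] == 8:   # ICMP echo request
        out["icmp_love"] = b"LOVE" in p[8:]
    # TTL alone matches plenty of legitimate traffic, so require a second trait
    out["suspicious"] = out["ttl_in_storm_range"] and (out["tcp_443"] or out["icmp_love"])
    return out

# Constructed sample packets (RFC 5737 documentation addresses, not real capture data)
SAMPLE_PACKETS = [
    build_ipv4("203.0.113.7", "198.51.100.1", 6, 128, build_tcp_syn(51234, 443, 64240)),
    build_ipv4("203.0.113.8", "198.51.100.1", 1, 200, build_icmp_echo(b"LOVE")),
    build_ipv4("203.0.113.9", "198.51.100.1", 6, 64, build_tcp_syn(40000, 80, 29200)),
]

def count_suspicious(packets=SAMPLE_PACKETS) -> int:
    return sum(1 for p in packets if triage(p)["suspicious"])

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(triage(p))
```

To run this over the published captures, strip the link-layer header from each frame and pass the IPv4 layer to triage(). Note that the TTL rule by itself is a weak signal: a Windows host a few hops away (default initial TTL 128) lands in the 120..200 window, which is precisely why the report treats the TTL choice as camouflage and why the check above only raises "suspicious" when a second trait is present.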
Potential Implications and Theories
Analysts have proposed several hypotheses for the purpose of these "noise storms":
- Covert communication channels
- Coordination signals for DDoS attacks
- Hidden command-and-control channels for malware
- The unintended side effect of a misconfiguration
The ASCII string "LOVE" in the observed ICMP payloads adds another puzzle and has so far not helped explain what the traffic is for.
Community Collaboration and Next Steps
In an effort to solve this cybersecurity puzzle, GreyNoise has taken several steps to engage the wider infosec community:
- Publication of PCAP data from two recent “noise storms” on GitHub
- Invitation for other security researchers to join the investigation
- Release of a detailed analysis video on YouTube
Phenomena like these "noise storms" underscore the value of collaboration and data sharing within the security community. By pooling captures and expertise, researchers hope to determine who is generating the traffic and why, and whether it represents an emerging threat or a new covert communication method. Resolving the question would matter for network security, traffic analysis, and the detection of covert online activity more broadly.